World entity access is not sound

[odanek]

Bevy version

0.5

Operating system & version

Windows 10

What you did

The World entity api allows use after free

use bevy::prelude::*;

struct Name(String);

fn test(world: &mut World) {
    let mut entity = world.spawn();
    entity.insert(Name("Test".to_string()));
    let name = entity.get::<Name>().unwrap();    
    entity.despawn(); // Or entity.remove::<Name>();
    println!("{}", name.0); // This line should be a compile error
}

fn main() {
    App::build()
        .add_system(test.exclusive_system())
        .run();
}

What you expected to happen

The code should not compile

What actually happened

The code compiles without any errors or warnings

[DJMcNab]

There's a fix in #3001

[alice-i-cecile]

Despite that, we may want a smaller, tightly scoped fix to this problem for now.

[alice-i-cecile]

This will be fixed by #3685 (the scoped fix mentioned above).

Nope, this fixes #3147 instead.

[cart]

Yup this is pretty heinous. Not pretty, but we could probably quickly fix this by making despawn use a borrow and "internally" invalidating the entity ref?

// we still don't return &mut Self, which makes misusing EntityMut via the "builder pattern" style harder
fn despawn(&mut self) {
  self.invalid = true;
  // despawn here
}

fn insert_bundle<B: Bundle>(&mut self, Bundle) -> &mut Self {
  if self.invalid { panic!() }
  // insert here
}

[cart]

But before rolling with that I'd like to consider #3001 first.

[odanek]

Yup this is pretty heinous. Not pretty, but we could probably quickly fix this by making despawn use a borrow and "internally" invalidating the entity ref?

This does not fix the remove case though

let name = entity.get::<Name>().unwrap();    
entity.remove::<Name>();
println!("{}", name.0);

[cart]

Groosssss. I suppose we could tighten the lifetimes by tying them to EntityMut's lifetime.

[cart]

Thats what #3001 does.

[odanek]

Yes, that could work, as far as I can tell.